Mozilla’s New Update Fixes Vulnerabilities in Firefox
Mozilla released ten security patches on February 8, 2008 to fix vulnerabilities in its Firefox browser, which has at least three critical flaws. Firefox version 18.104.22.168 is the latest version of the browser.
The update, which is Mozilla's first one for 2008, corrects critical issues relating to the way Firefox handles Web-browser history, cross-site scripting, privilege escalation, and other security holes that could cause the system to break down due to memory corruption.
According to Mozilla's advisories released on February 7, 2008, exploitation of the vulnerability in Web-browsing history could allow execution of arbitrary software on a user's PC, while by exploiting the privilege escalation flaw, an attacker could inject code into a targeted site. SC Magazine reported this on February 8, 2008.
Mozilla also plugged a "high" risk hole in the way Firefox uses URI (Uniform Resource Identifier) schemes. The browser's URI vulnerability, discovered by security researcher Gerry Eisenhaur, received the greatest publicity. That vulnerability, which, according to Eisenhaur, an attacker could exploit through numerous Firefox extensions, had been discussed in many blog postings by Mozilla's Chief of Security, Window Snyder. ComputerWorld reported this on February 8, 2008.
The bug can also be exploited to seize the contents of Firefox's sessionstore.js file, which holds data for session cookies and information relating to publicly accessible sites.
The final critical bug is a memory corruption flaw that, with adequate effort, could be exploited to execute arbitrary software, Mozilla said. The Washington Post reported this on February 8, 2008.
While Mozilla's developers update the Firefox 2.x series with the relevant patches, work is also under way to develop the next generation of Firefox.
» SPAMfighter News - 15-02-2008